Re-authenticating a logged-in User? #34
Comments
Hmm, yes, I see how this could be useful. I could expose a `validate_credentials(username, password)` method that will only verify that the credentials are correct.
That would fit the bill perfectly! Would that method be able to be used as a before_filter as well? Thanks for the reply. I'm new to Rails and GitHub and really appreciate the community and the people I'm meeting.
I'm reopening until this is fixed :) I'll see what I can do about before_filter...
Sorry! Didn't mean to close it!
Why not just require the current password when changing the critical information? All of this can be achieved via validations. I currently have something like this (even though the `external?` method does not work just yet ^^):

```ruby
# app/models/user.rb
validates_presence_of :password, if: :password_required?
validates_confirmation_of :password, if: :password_required?
validates_length_of :password, within: 5..255, allow_blank: true

# Checks whether a password is needed or not. For validations only.
# Password is always required if it's a new record, or if the password / email
# (or any other critical information) is being set somewhere.
# NOTE: `external?` is a helper of this model that is not implemented yet.
def password_required?
  password.present? || password_confirmation.present? || !external? || email_changed?
end
```

I feel like this is the correct way. What good will re-authentication do for someone when I change his email and password? Or maybe I just don't understand the UC you described, or the validations achieve such.
I think the use case is this: you are logged in, and away from the computer.
Well, in the end it is just about the validations. Most likely it is going to be one form with multiple form groups: non-essential info like username or user profile info, and then the essentials, the credentials, which can be handled via the validations I mentioned ...
There is already a `validate_credentials` inside Sorcery, called `find_by_credentials`. `find_by_credentials` takes an array of credentials and returns a @user or nil.
I'm a bit of a noob and I'm having a little trouble getting that to work. Here is how I'm trying to call it:
This is the error I get: `wrong number of arguments (2 for 1)`
Thanks for pointing this out to me. @panva - I'm probably too much of a rookie to follow how to implement what you're suggesting, but I trust that it's probably better than what I'm trying to do. Would love to continue the conversation if you ever feel up to it. Thanks!
Surround your params in an array (`[]`), like this:

```ruby
@user = User.find_by_credentials([params[:email], params[:current_password]])
```

Ahh! Thanks!
`User.find_by_credentials` seems not to work,
Found a way. Can use
Yes, this should be the 'right' way. `User.authenticate` is part of the API.
I apologize if this is the wrong place for this. I have asked on SO but haven't gotten a reply; perhaps Sorcery is just too new right now.
I have a simple user model with an edit page. Currently you can change your email and your password (with a password confirmation), but I don't currently require you to type your old password again before changing any of that information.
I have a before filter that requires you to be logged in, as well as a before filter to ensure you can only edit your own profile. However, in the case of public or shared computers, I would like to re-authenticate a user by making them type their password before they can change any critical account info, and I'm having a hard time finding anything in Sorcery that would allow me to do this. Thanks!
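The pattern the thread converges on, pulled together as an added example (this is not Sorcery's code nor code from anyone in the thread): a before_filter-style check that asks for the current password only when a critical field (email or password, as in the `password_required?` idea above) is being changed, and verifies it with a `User.authenticate(email, password)` call that returns the user or nil. So that it runs outside Rails, the `User` class here is a stand-in with an in-memory store and a stdlib PBKDF2 digest; Sorcery's real model is database-backed and uses bcrypt by default. The method names `require_reauthentication`, `critical_change?` and `authorize_profile_update` are hypothetical.

```ruby
require "openssl"
require "securerandom"

# Added example, not Sorcery's own code: a stand-in User model with just enough
# behaviour to show the re-authentication check the issue asks for. Sorcery's
# real User.authenticate is backed by the app's database and bcrypt by default;
# here the store is an in-memory hash and the digest is stdlib PBKDF2 (assumption).
class User
  STORE = {} # constructed in-memory "users table", keyed by email

  attr_reader :email, :salt, :password_digest

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)
    @password_digest = self.class.digest(password, @salt)
    STORE[email] = self
  end

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest::SHA256.new).unpack1("H*")
  end

  # Same contract the thread settles on for User.authenticate(email, password):
  # the matching user, or nil when the email is unknown or the password is wrong.
  def self.authenticate(email, password)
    user = STORE[email]
    return nil if user.nil? || password.nil?
    secure_compare(digest(password, user.salt), user.password_digest) ? user : nil
  end

  # Constant-time comparison so a wrong digest is not distinguishable by timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Fields whose change should require the current password, following the
# password_required? idea from the thread (email or password being set).
CRITICAL_FIELDS = %w[email password password_confirmation].freeze

def critical_change?(params)
  params.keys.any? { |k| CRITICAL_FIELDS.include?(k.to_s) }
end

# Body of a before_filter / before_action on UsersController#update (hypothetical
# name: require_reauthentication). Returns :ok or the reason the form should be
# re-rendered with an error; a real filter would `redirect_to` or `render` instead.
def require_reauthentication(current_user, params)
  supplied = params[:current_password].to_s
  return :missing_current_password if supplied.empty?
  # Always verify against the session's user, never an email taken from the form,
  # so the re-auth prompt cannot be turned into a login as a different account.
  User.authenticate(current_user.email, supplied) ? :ok : :wrong_current_password
end

# Only demand re-authentication when something critical is actually changing;
# editing a display name on a shared computer is left to the ordinary login check.
def authorize_profile_update(current_user, params)
  return :ok unless critical_change?(params)
  require_reauthentication(current_user, params)
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new("bob@example.com", "s3cret-phrase") # constructed sample user
  p authorize_profile_update(bob, { name: "Bobby" })                                                 # :ok
  p authorize_profile_update(bob, { email: "new@example.com" })                                      # :missing_current_password
  p authorize_profile_update(bob, { email: "new@example.com", current_password: "nope" })            # :wrong_current_password
  p authorize_profile_update(bob, { email: "new@example.com", current_password: "s3cret-phrase" })   # :ok
end
```

In a Rails app the `authorize_profile_update` logic would sit in a `before_filter` on `update` only, with `current_user` coming from the session, so the existing "must be logged in" and "may only edit own profile" filters still run first and the password prompt is an extra gate rather than a replacement for them.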